Closed Bug 361467 Opened 13 years ago Closed 13 years ago

Crash [@ js_watch_set] with certain watcher functions

Categories

(Core :: JavaScript Engine, defect, P1, critical)

defect

Tracking

()

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: mrbkap)

References

(Blocks 1 open bug)

Details

(4 keywords)

Crash Data

Attachments

(1 file)

js> this.watch('x', print); x = 5;
x undefined 5
Bus error

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0   js 	0x00024304 js_watch_set + 928 (jsdbgapi.c:386)
1   js 	0x0009b280 js_Interpret + 16404 (jsinterp.c:2953)
2   js 	0x00095d34 js_Execute + 960 (jsinterp.c:1643)
3   js 	0x00021564 JS_ExecuteScript + 64 (jsapi.c:4194)
4   js 	0x000031c4 Process + 904 (js.c:268)
5   js 	0x00003d8c ProcessArgs + 2304 (js.c:490)
6   js 	0x0000a210 main + 640 (js.c:3098)
...

I'm testing with the patch for bug 361346.  I haven't tested to see if this crash occurs without it.
I'm fixing this forthwith.

/be
Assignee: general → brendan
Depends on: 361346
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Attached patch FixSplinter Review
There's no guarantee that we have a scripted function. I should have seen this earlier.
Assignee: brendan → mrbkap
Status: NEW → ASSIGNED
Attachment #246249 - Flags: review?(brendan)
Comment on attachment 246249 [details] [diff] [review]
Fix

D'oh, mrbkap is too fast for me!

Looks like the 1.8 branch jsdbgapi.c needs some love, in several places.

/be
Attachment #246249 - Flags: review?(brendan) → review+
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 246249 [details] [diff] [review]
Fix

Necessary null defense, automatic approval ;-).

/be
Attachment #246249 - Flags: approval1.8.1.1?
Attachment #246249 - Flags: approval1.8.0.9?
Note to self: don't verify this until bug 361346 is fixed.

RCS file: /cvsroot/mozilla/js/tests/js1_5/Regress/regress-361467.js,v
done
Checking in regress-361467.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-361467.js,v  <--  regress-361467.js
initial revision: 1.1
done
Flags: in-testsuite+
Depends on: 361360
Comment on attachment 246249 [details] [diff] [review]
Fix

Fixed on the 1.8 branch along with bug 361360 (this is a null-defense followup patch to that bug's patch).

/be
Attachment #246249 - Flags: approval1.8.1.1?
Keywords: fixed1.8.1.1
Attachment #246249 - Flags: approval1.8.0.9?
Looks like there was an underlying assert lurking on all branches. See Bug 361856. 
No longer blocks: 349611
Blocks: 349611
verified fixed 1.8.1, 1.9.0 linux/mac*/windows.
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_watch_set]
You need to log in before you can comment on or make changes to this bug.